Hey! The 2FA feature of Discourse is great to have, we are enabling it for all our admins to keep the forums safer. On the other hand, it seems to be missing one commonly used feature, recovery codes (that is, a handful of pre-generated codes that can be used in place of the 2FA token if the 2FA device is lost - e.g. one’s phone breaks and needs to reinstall).

Is it something that I’ve missed, or is there really no such function yet? If it doesn’t exist, is it in the plans?

I’m looking into adding support for 2FA backup codes, this is what I came up with so far and I’d really appreciate some feedback. This is a very basic flow so far, but hopefully enough to raise some questions/points to consider.
In order to enable backup codes, the primary method (TOTP) has to be enabled.
[Slice 1]
After enabling backup codes, the user gets to copy and store the codes. If the user loses the backup codes, they have to reset them and get the new set of codes.
[Slice 4]
Backup code can be used e…